A list to discuss DNS Resolver Identification and Use.
The IETF has added additional methods for DNS stub resolvers to get to
recursive resolvers (notably DNS-over-TLS, RFC 7858), and is about to add
another (DNS-over-HTTPS, from the DOH Working Group). As these have been
developed, questions have been raised about how to identify these resolvers
from protocols such as DHCP and DHCPv6, what security properties these
transports have in various configurations (such as between strict security
and opportunistic security), and what it means for a user who has multiple
resolvers configured when the elements of the configured set have different
transports and security properties.
Topics that would be on-topic include:
- How to identify DNS-over-different-transport in protocols such as DHCP, and
  in user-accessible configuration
- Security properties of the various flavors of transport-secured DNS
- TLS authentication when the identifier is an IP address (which is most
  common for identifying DNS resolvers)
- How resolvers can express their capabilities to clients who might care
  (such as "this resolver does DNSSEC validation" or "this resolver passes
  client subnet information to authoritative servers")
- Identifying a resolver in the "dns:" URI scheme in RFC 4501. A related
  question is whether there should be a "dnss:" URI scheme whose semantics
  mean "Look up this name, but only use a secure DNS server", where "secure"
  would need to be defined.
This is a private list, which means that the
list of members is not available to non-members.